The desire to obtain an unconditionally secure bit commitment protocol in quantum cryptography was expressed for the first time thirteen years ago. Bit commitment is sufficient in quantum cryptography to realize a variety of applications with unconditional security. In 1993, a quantum bit commitment protocol was proposed together with a security proof. However, a basic flaw in the protocol was discovered by Mayers in 1995 and subsequently by Lo and Chau. Later the result was generalized by Mayers, who showed that unconditionally secure bit commitment is impossible. A brief review on quantum bit commitment which focuses on the general impossibility theorem and on recent attempts to bypass this result is provided.
1 Introduction

After Mayers obtained his general impossibility theorem for bit commitment (see the Appendix and [ref]), different kinds of ideas were proposed by Brassard, Crépeau and Salvail with the hope of realising unconditionally secure bit commitment [ref]. It was then realized by Mayers that these apparently promising ideas were also ruled out by his attack. These attempts contributed to enhance our understanding of what is going on with quantum bit commitment. However, no complete discussion on the subject has ever been provided in the literature.

Furthermore, two different proofs, each using a different approach, were provided by Mayers. The first approach was used in the original proof (see the Appendix and [ref]) whereas the second approach appeared later in [ref]. Despite all these results, and the related discussion by Lo and Chau [ref], some quantum bit commitment protocols were recently proposed [ref] together with a claim of security that is ruled out by the general result. Fortunately, these claims were not published. In fact, the protocols used the same idea previously described in [ref]. A brief history of the result with proper references to the original work seems appropriate. We will not describe the proofs again (except in the Appendix, which contains the original proof of Mayers). Our objective is to create a wholeness for the different papers written on the subject. We will also discuss the general theorem in the context of the specific ideas and schemes [ref] with which researchers have tried to realize quantum bit commitment despite this general theorem.

Before we proceed, let us briefly explain the notion of bit commitment and its impact in quantum cryptography. Quantum cryptography is often associated with a cryptographic application called key distribution [ref] and it has achieved success in this area [ref]. However, other applications of quantum mechanics to cryptography have also been considered, and bit commitment was at the basis of most if not all of these other applications [ref]. A bit commitment scheme allows Alice to send something to Bob that commits her to a bit $b$ of her choice in such a way that Bob cannot tell what $b$ is, but such that Alice can later prove to him what $b$ originally was. You may think of this as Alice sending a note with the value $b$ written on it in a strongbox to Bob and later revealing to him the combination to the safe.

Alice can choose the probability distribution of $b$ during the commit phase. The commitment obtained after the commit phase is binding if Alice cannot change this probability distribution, and it is concealing if Bob cannot obtain any information about $b$ without the help of Alice. The commitment is secure if it is binding and concealing. The commitment is unconditionally secure if it is secure against a cheater, either Alice or Bob, with unlimited technology and computational power. In 1993 a protocol for quantum bit commitment, henceforth referred to as BCJL, was claimed to be provably secure [ref], that is, the resulting commitments were thought to be unconditionally secure. Because of quantum bit commitment, the future of quantum cryptography was very bright, with new applications such as the identification protocol of Crépeau and Salvail [ref] coming up regularly.

The trouble began in October 1995 when Mayers found a subtle flaw in the BCJL protocol. Though Mayers explained his discovery to many researchers interested in quantum bit commitment, his result was not made entirely public until after Lo and Chau independently discovered a similar result in March 1996 [15]. The result of Mayers was more general than the one obtained by Lo and Chau, but both used the same basic idea. The result of Lo and Chau did not encompass the BCJL protocol, in which Bob can obtain an exponentially small amount of information. (In practice a protocol is considered secure as long as Bob cannot obtain more than an exponentially small amount of information on the bit committed by Alice, that is, an amount of information that goes to zero exponentially fast as the number of photons used in the protocol increases.) However, the final version published by Lo and Chau [15] used the techniques previously used by Mayers [ref] to prove the non-security of the BCJL protocol and of any other protocol published at the time. So, the paper of Lo and Chau [15] is a proper account of these preliminary results.



2 The general impossibility theorem

Now, we review the general theorem [ref] (see also the Appendix) which says that a quantum protocol which creates an unconditionally secure bit commitment is simply impossible. The main additional difficulty in the general result is that it is easy to think that measurements and classical communication could be used to restrict the behavior of the cheater during the commit phase, and thus obtain a secure bit commitment. In fact, after BCJL was shown not to be secure, the spontaneous attitude was to try alternative quantum bit commitment protocols making some clever use of measurements and classical communication [16]. Some of these protocols were proposed after Mayers obtained the general result in March 1996 (just a little after Lo and Chau discovered their restricted result independently). All of these protocols were found not to be secure by Mayers.

There exist two approaches to deal with measurements and classical communication in quantum bit commitment protocols: an indirect approach and a direct approach. In the first proof written by Mayers (see the Appendix) the indirect approach was used. It was shown that any protocol in which classical information is used is equivalent to another protocol in which no classical information at all is used. Then it was shown that no protocol of the latter kind is unconditionally secure. The first step of this indirect proof is called a reduction in computer science. The advantage of this approach is that, after the reduction is shown, the attack on the new protocol is easy to describe and analyse because there is no classical communication anymore. The disadvantage is that we don't deal directly with the issue of classical communication and measurements, that is, the attack obtained against the new protocol is not the one that applies to the original protocol. The attack in the new protocol does not include any classical communication, whereas in the original protocol the cheater must communicate classically with the honest participant (otherwise this honest participant will wonder what is going on).

We emphasize that the proof of the reduction, which is not that hard, must nevertheless explain why the cheater can still cheat in the original protocol despite the fact that he is restricted by measurements and by the decoherence which must occur because of classical communication. Otherwise the overall proof would simply miss the important issue of classical communication: it would not encompass the protocols and ideas that have been proposed recently [ref]. Because this issue was somewhat confusing, Mayers preferred to use a more direct approach without reduction in [ref]. So, the paper [ref] directly describes and analyses the real attack that must be executed by the cheater.

Lo and Chau also wrote a paper [ref] to discuss the issue of quantum communication and other aspects of Mayers's result. They used a variant of Yao's model for quantum communication. The essence of Yao's model is that a third system is passed back and forth under the control of each participant in turn [12]. Mayers's attack works fine in this model, and it is indeed important to verify that the attack works in such a reasonable model. With regard to classical communication, the discussion of Lo and Chau [ref] is similar to the indirect approach.

Now, let us consider the attack. Of course, we are interested in the attack on the original protocol. The attack on the new protocol is just a construction in a proof. We emphasize that in both approaches, with a reduction or without a reduction, the attack on the original protocol is the same. Here we focus on the part of the attack which must be executed during the commit phase. (The remainder of the attack, which is executed after the commit phase, is the same as when there is no classical communication, so it creates no additional difficulty.) One ingredient in the attack is that the cheater keeps everything at the quantum level except what must be announced classically. Assume that at some given stage of the commit phase, a participant has normally generated a classical random variable $R$, executed measurements to obtain an overall outcome $X$, and shared some classical information $Y$ with the other participant as a result of previous communication. Now, assume that this participant is the cheater and that the protocol says he must transmit some classical information $f(X,R,Y)$, which for simplicity we assume is a binary string. One might think that the cheater must have generated $X$ and executed the measurements, or at least some of them, in order to be able to compute and send $f(X,R,Y)$. However, the cheater does not have to do that. He can do the entire computation of $f(X,R,Y)$, including the computation of $X$ and the measurements, at the quantum level. Only $Y$ needs to be classical. Then he can measure the bits of the string $f(X,R,Y)$ (only these bits) and send them to the other participant. An example is given in section 3. The final result is that every piece of information is kept at the quantum level, except what must be sent classically to the other participant. As explained in [ref] (see also the Appendix), this strategy executed during the commit phase either allows Bob to obtain some information about the bit committed by Alice, without any help from Alice, or else allows Alice to change her mind after the commit phase (as in the example of section 3).

This is not the end of the story. After the above argument was understood, Crépeau proposed a quantum protocol [ref] that uses a computationally secure classical bit commitment [17] as a subprotocol. The idea was to rely temporarily on the limitation (in speed) of the cheater during the commit phase to force him to execute some measurements (or restrict his behavior in some other way) in order to obtain a secure bit commitment. The hope was that this short-term assumption could be dropped after the commit phase so as to obtain a quantum bit commitment not relying on any long-term assumption. The same idea was recently used by Kent in [7]. Salvail also proposed a protocol in which two participants, Alice and Albert say, want to commit a bit to Bob. Alice and Albert are sufficiently far apart that they cannot communicate during the commit phase. Again the hope was that this temporary restriction on the cheaters during the commit phase would be sufficient to obtain a secure quantum bit commitment not relying on any long-term assumption.

However, after some thought, one realizes that the cheater in Mayers's attack executes the honest algorithm; the only difference is that he executes this honest algorithm at the quantum level. Therefore, if the cheater has the power to execute the honest protocol (which he must have) and has the technology to store information at the quantum level, then he has the power to cheat during the commit phase, despite the fact that he does not have the power to break the computationally secure bit commitment efficiently, or despite the fact that Alice and Albert cannot communicate during the commit phase. After the commit phase, the rule of the game is that we must drop the assumption on the computational power of the cheater, so the fact that a computationally secure bit commitment was used is irrelevant: the proof applies.

3 An Example: How to Break Kent's Protocol

In this section we illustrate the discussion of the previous section by a concrete example. We shall show how to break Kent's proposal [7] for a quantum bit commitment scheme using a time-bounded computational assumption. The paper [7] describes two constructions for such a scheme: one allows Alice to commit and the other allows Bob to commit permanently. In this section we break the protocol allowing Alice to commit permanently. The other version can be broken by a similar attack.

Kent's protocol [7] uses a classical and unconditionally hiding bit commitment scheme. The hope is that this classical scheme will constrain Alice to transmit q-bits in pure states. The protocol uses the BB84 coding scheme: $\Psi(0,0) = |0\rangle_+$, $\Psi(0,1) = |1\rangle_+$, $\Psi(1,0) = |0\rangle_\times$, $\Psi(1,1) = |1\rangle_\times$. The first bit corresponds to the basis and the second bit to the encoded bit. Here is the essential idea behind Kent's protocol. For each $i = 1, \ldots, N_B$, Alice picks a random pair $(x,z) = (x_i,z_i) \in \{0,1\}^2$, sends a photon $\pi_i$ in the BB84 state $\Psi(x,z)$ and executes a classical bit commitment $BC(x,z)$ according to the above classical bit commitment scheme. We denote by $\theta_i = \{+,\times\}[x_i]$ the basis used by Alice for the photon $\pi_i$ (see footnote 1). Bob then picks a random sample $X \subset \{1, \ldots, N_B\}$ of size $N_B - N$. For each $i \in X$, Bob asks Alice to unveil $(x,z) \in \{0,1\}^2$, the committed pair of classical bits in $BC(x,z)$. Bob then measures $\pi_i$ in basis $\theta_i = \{+,\times\}[x]$ and verifies that the observed outcome is indeed $z \in \{0,1\}$. The idea behind the remainder of Kent's protocol is very similar to the first bit commitment scheme ever proposed [ref]. The difference is that in [ref] Alice picks the same value for all $x_i$, that is, the string of bases used by Alice is either $+ + \cdots +$ or $\times \times \cdots \times$. (See also [ref] for a description and analysis of this protocol.) The basic idea is that the committed bit is encoded in the transmission basis for each photon $\pi_i$. In Kent's protocol, if Alice wants to commit bit $b$, she announces $x_i \oplus b$ for each $i \in Y = \{1, \ldots, N_B\} \setminus X$. So, the bit is committed in the choice of basis used by Alice for each $i \in Y$.

The scheme is unconditionally hiding because no information about the transmission basis can be obtained from any photon $\pi_i$, since the density matrix corresponding to the transmission in the rectilinear basis,

$\rho_+ = \tfrac{1}{2}|0\rangle_+\langle 0|_+ + \tfrac{1}{2}|1\rangle_+\langle 1|_+,$

and the one corresponding to the transmission in the diagonal basis,

$\rho_\times = \tfrac{1}{2}|0\rangle_\times\langle 0|_\times + \tfrac{1}{2}|1\rangle_\times\langle 1|_\times,$

are such that $\rho_+ = \rho_\times$.

Clearly, if Alice sends the pure states $\Psi(x_i,z_i)$, she cannot claim that she used the other basis, that is, the one associated with $x_i \oplus 1$, for each $i \in Y$. So, if Alice has really sent the pure states $\Psi(x_i,z_i)$, the protocol should be binding. Alice can cheat in the original protocol of [ref] by sending EPR pairs rather than a mixture of BB84 quantum states (see [ref] for more details). So the resulting commitment is not binding. In Kent's protocol, if Alice cannot break the computational assumption during this test phase (between the time the commitments have been sent and the time they are opened), it is argued that Bob gets convinced that almost all photons $\pi_i$ in $Y$ are in the pure states $\Psi(x_i,z_i)$. Indeed, if this were true then the protocol would also be binding. However, we show that it is not the case.

Footnote 1. The notation $\{a,b\}[s]$ for $s \in \{0,1\}$ is $a$ if $s = 0$ and $b$ if $s = 1$.



3.1 The Classical Commitment

Let us first model the classical and unconditionally hiding commitment scheme by four one-way permutations (see footnote 2) $f_{00}, f_{01}, f_{10}, f_{11} : \{0,1\}^n \to \{0,1\}^n$ for any integer $n$. In the remainder, the functions $f_{00}$, $f_{01}$, $f_{10}$ and $f_{11}$ need not be distinct. To commit $(x,z)$, Alice picks a random uniformly distributed $w \in \{0,1\}^n$ and sends $y = f_{xz}(w)$ to Bob. We obtain that $y$, the piece of evidence that Alice gives to Bob in order to commit to a pair of classical bits $(x,z)$, is a random element uniformly distributed in $\{0,1\}^n$. Here are the properties that we need to consider.

1. The functions $f_{xz}$ are efficiently computable and publicly known.

2. Given $y = f_{xz}(w)$, no information on $(x,z)$ is known by Bob (thus the protocol is unconditionally hiding).

3. Alice knows only one $(x,z,w) \in \{0,1\}^2 \times \{0,1\}^n$ such that $f_{xz}(w) = y$. If she manages to find another $(x',z',w') \in \{0,1\}^2 \times \{0,1\}^n$ distinct from $(x,z,w)$ such that $f_{x'z'}(w') = y$, then she can break the computational assumption (because necessarily $(x,z) \neq (x',z')$).

We shall see that the above conditions for the classical commitment, in particular the first two conditions, imply that the proposed method cannot ensure Bob that most of the remaining q-bits are in pure states. We have described a particular classical bit commitment scheme, but Mayers's attack works with any other classical bit commitment scheme. In the next two subsections we describe Alice's attacks during the commit phase, then in the third subsection we explain how Alice can change her mind after the commit phase.



3.2 Alice's Preparation

If Alice wants to cheat the proposed protocol, as we will see, she has only to send entangled states rather than a mixture of BB84 states. In Kent's protocol, the use of a classical bit commitment scheme is intended to rule out the EPR attack. However, other entanglements can do the job. Let us consider the state $|\gamma(\theta)\rangle$ defined for $\theta \in \{+,\times\}$ as (see footnotes 3 and 4)

$|\gamma(\theta)\rangle = \frac{1}{\sqrt{2^{n+1}}} \sum_{w \in \{0,1\}^n} \Big( |w\rangle\,|f_{\theta 0}(w)\rangle\,|0\rangle_\theta\,|0\rangle_\theta + |w\rangle\,|f_{\theta 1}(w)\rangle\,|1\rangle_\theta\,|1\rangle_\theta \Big). \qquad (1)$

Mayers's theorem also specifies that there should be a superposition over $x$ (or equivalently over $\theta$). The idea is that every random choice, including the choice of the bases, must be done at the quantum level. However, this part of the superposition would collapse immediately because Alice must announce $x_i \oplus b$ for the classical bit $b$ she has chosen (this is what is specified by the attack). So for simplicity we ignore this part of the superposition.

The state (1) can be efficiently constructed thanks to condition 1 about the classical commitment scheme. The state $|\gamma(\theta)\rangle$ is made out of four registers which we denote from left to right as $r_w$, $r_f$, $r_A$ and $r_B$. Now suppose Alice sends the register $r_B$ to Bob instead of a random BB84 pure state. We assume the more general case where Bob does not measure the received quantum states until the pure state verifications take place. This allows a more reliable test than measuring immediately after reception and testing later on. Let $H_A$ be the Hilbert space for registers $r_w$, $r_f$ and $r_A$ and let $H_B$ be the Hilbert space for register $r_B$. By construction, Bob receives a mixture with density matrix:

$\rho_B = \mathrm{Tr}_{H_A}\big(|\gamma(\theta)\rangle\langle\gamma(\theta)|\big) = \rho_\theta. \qquad (2)$

Alice's preparation consists of $N_B$ systems $s_1, \ldots, s_{N_B}$ in quantum states $|\gamma(\theta_1)\rangle, \ldots, |\gamma(\theta_{N_B})\rangle$ for $\theta_i \in_R \{+,\times\}$. She sends to Bob the $r_B$ registers for all systems $s_1, \ldots, s_{N_B}$.

Footnote 2. The same kind of argument can also be formalized for general one-way functions rather than one-way permutations. However, no classical and unconditionally hiding bit commitment scheme is yet known to be based only on the existence of one-way functions.

Footnote 3. In the following we sometimes consider $\theta \in \{+,\times\}$ as being the bit $x$ such that $\theta = \{+,\times\}[x]$. The notation $f_{+z}(w)$ means $f_{0z}(w)$ and $f_{\times z}(w)$ means $f_{1z}(w)$.

Footnote 4. When a quantum state is written as $|w\rangle$ for $w \in \{0,1\}^n$ we mean $|w_1\rangle_+ \otimes \cdots \otimes |w_n\rangle_+$.



3.3 How Alice Deals With Classical Communication

Suppose Alice has sent all $N_B$ registers $r_B$ to Bob. Let $\theta_1, \ldots, \theta_{N_B}$ be the $N_B$ bases picked in $\{+,\times\}$ in order to prepare the states $|\gamma(\theta_1)\rangle, \ldots, |\gamma(\theta_{N_B})\rangle$. (From Alice's point of view these bases, i.e. the $x_i$, are not random anymore.) To execute the classical commitment, Alice must send the classical information $f_{xz}(w)$. Thus far, the values of $z$ and $w$ are not fixed: they are still in superposition. As explained in the previous section, Alice does not have to obtain $w$ nor $z$ classically to compute $f_{xz}(w)$. For committing, Alice simply measures in the rectilinear basis all registers $r_f$. She then announces to Bob, for each $i \in \{1, \ldots, N_B\}$, the result $y_i$. That is the way Mayers's attack works. Each system $s_i$ is now in state

$|\gamma'(\theta_i)\rangle = \frac{1}{\sqrt{2}} \Big( |w\rangle\,|y_i\rangle\,|0\rangle_{\theta_i}\,|0\rangle_{\theta_i} + |w'\rangle\,|y_i\rangle\,|1\rangle_{\theta_i}\,|1\rangle_{\theta_i} \Big)$

where $w = f_{\theta_i 0}^{-1}(y_i)$ and $w' = f_{\theta_i 1}^{-1}(y_i)$. The above state is guaranteed to occur by property 2 of the classical commitment scheme, and by the fact that $w$ is uniquely determined by $x$ (or $\theta$), $z$ and $y$.

Now suppose Bob asks Alice to unveil the commitment for some position $i \in X$. Alice simply measures registers $r_w$ (in basis $+$) and $r_A$ (in basis $\theta_i$) for the system $s_i$. Let $w$ and $z$ be the outcomes of the measurement. Alice announces $w$, $z$ and $x_i$ to Bob. Bob always verifies that $y_i = f_{x_i z}(w)$. The system ends up in state

$|\gamma''(\theta_i)\rangle = |w\rangle\,|y_i\rangle\,|z\rangle_{\theta_i}\,|z\rangle_{\theta_i},$

which leads to a successful verification by Bob. Clearly Alice can always pass the test without breaking the computational assumption. The main point is that Alice executes the honest protocol at the quantum level, so any computational bound is useless. It follows that Kent's verification procedure is not a verification that almost all received q-bits are in pure states, since the state $|\gamma'(\theta_i)\rangle$ above obviously does not describe a pure state for register $r_B$.



3.4 Breaking the Quantum Scheme

We now show how Alice can freely decide the bit she wants to unveil. We recall that, at this point, the rule of the game is that all computational assumptions must be dropped. (Otherwise we only have a computationally secure bit commitment, and this can already be done classically.) After the verification procedure only the remaining systems $s_i$ with $i \in Y = \{1, \ldots, N_B\} \setminus X$ are used. In order to break the quantum protocol it is sufficient to show how Alice can choose the transmission basis for all photons transmitted to Bob. For all $i \in Y$ the system $s_i$ is in state (we remove the $r_f$ register since it is no longer entangled, but we remember its observed value $y_i$):

$|\gamma'(\theta_i)\rangle = \frac{1}{\sqrt{2}} \Big( |w\rangle\,|0\rangle_{\theta_i}\,|0\rangle_{\theta_i} + |w'\rangle\,|1\rangle_{\theta_i}\,|1\rangle_{\theta_i} \Big).$

To cheat, Alice must disentangle the register $r_w$ and obtain the state

$|\gamma''(\theta_i)\rangle = \frac{1}{\sqrt{2}} \Big( |w_0\rangle\,|0\rangle_{\theta_i}\,|0\rangle_{\theta_i} + |w_0\rangle\,|1\rangle_{\theta_i}\,|1\rangle_{\theta_i} \Big),$

where $w_0$ is some fixed string. If we ignore the disentangled registers $r_f$ and $r_w$, this state is essentially an EPR pair (modulo a unitary transformation on Alice's side). So Alice can cheat as in the original attack defined in [ref]. Now, we show how Alice can disentangle $r_w$. A simple way to disentangle would be to replace both $w$ and $w'$ by the same output $f_{\theta_i 0}(w) = f_{\theta_i 1}(w') = y_i$. This is a reversible computation executed in the computational basis defined by $\theta_i$ for $r_A$ and $+ \cdots +$ for $r_w$, so it corresponds to a unitary transformation. This answers the question. However, this answer is somewhat misleading because it gives the impression that the attack is as simple as the computation of $f_{\theta_i 0}(w) = f_{\theta_i 1}(w') = y_i$. The problem is that one must still explain how the two distinct inputs $w$ and $w'$ can be replaced by one and the same value $y_i$. Here we show how this can be done by Alice if she can invert the functions $f_{\theta z}$. Because she knows $y_i$ and $\theta_i$, she can compute $w = f_{\theta_i 0}^{-1}(y_i)$, associated with $|0\rangle_{\theta_i}$, and $w' = f_{\theta_i 1}^{-1}(y_i)$, associated with $|1\rangle_{\theta_i}$, so she can "erase" the register $r_w$, that is, she can set this register to $0 \cdots 0$ by a bit-wise addition modulo 2. (She can also set it to any other value she wants, including $y_i$.) This concludes the description of the attack.
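To make the three steps above concrete, here is a small numerical simulation, added to this review and not part of the original paper or of Kent's protocol: it builds $|\gamma(\theta)\rangle$ of equation (1) for $n = 2$, checks that Bob's register is left in the state $\rho_\theta = I/2$ as in equation (2), lets Alice measure $r_f$ and announce $y_i$ (the quantum-level computation of the classical message described in section 2), and then disentangles $r_w$ as in this subsection. The four one-way permutations $f_{xz}$ are replaced by four hand-picked bijections of $\{0,1\}^2$ (constructed, with no one-wayness at all), the registers are stored as a numpy amplitude array indexed $(r_w, r_f, r_A, r_B)$, and the basis $\theta = \times$ is handled by applying a Hadamard to $r_A$ and $r_B$. All function names are choices of this example.

```python
"""Toy simulation of Alice's attack on Kent's protocol (sections 3.2 to 3.4).

Registers of one system s_i, in this order: r_w (n qubits), r_f (n qubits),
r_A (1 qubit), r_B (1 qubit). The one-way permutations f_xz are stand-ins:
fixed bijections of {0,1}^n chosen by hand for this example, not one-way.
"""
import numpy as np

N_BITS = 2                 # n, the witness length (toy size, constructed)
D = 2 ** N_BITS

# Constructed stand-ins for f_00, f_01, f_10, f_11 : {0,1}^n -> {0,1}^n.
PERMS = {
    (0, 0): [2, 0, 3, 1],
    (0, 1): [1, 3, 0, 2],
    (1, 0): [3, 1, 2, 0],
    (1, 1): [0, 2, 1, 3],
}

HAD = np.array([[1, 1], [1, -1]]) / np.sqrt(2)


def basis_change(theta):
    """Map coefficients written in the theta basis of (r_A, r_B) to the computational
    basis: identity for + (theta = 0), Hadamard on each qubit for x (theta = 1).
    The matrix is real symmetric and self-inverse, so it also maps back."""
    h = HAD if theta == 1 else np.eye(2)
    return np.kron(h, h)


def gamma_state(theta):
    """|gamma(theta)> of eq. (1) as a flat vector indexed by (w, f, a, b)."""
    amp = np.zeros((D, D, 4))
    for w in range(D):
        for z in (0, 1):
            y = PERMS[(theta, z)][w]
            amp[w, y, 3 * z] = 1.0               # |w>|f_{theta z}(w)>|z>_theta|z>_theta
    amp = amp @ basis_change(theta)              # express |z>_theta|z>_theta in comp. basis
    return amp.reshape(-1) / np.sqrt(2 * D)      # 1/sqrt(2^{n+1}) normalisation


def bob_density_matrix(psi):
    """rho_B = Tr_{H_A} |gamma><gamma| (eq. (2)): trace out r_w, r_f and r_A."""
    m = psi.reshape(-1, 2)                       # rows: Alice's index, columns: r_B
    return m.T @ m.conj()


def measure_rf(psi, rng):
    """Alice measures r_f in the rectilinear basis and announces the outcome y_i.
    Returns (y, |gamma'(theta_i)>), the collapsed state of section 3.3."""
    m = psi.reshape(D, D, 4)
    probs = np.sum(np.abs(m) ** 2, axis=(0, 2))
    y = int(rng.choice(D, p=probs))
    post = np.zeros_like(m)
    post[:, y, :] = m[:, y, :]
    return y, post.reshape(-1) / np.linalg.norm(post)


def surviving_witnesses(psi):
    """Values of w still carrying amplitude; after announcing y these should be
    exactly w = f_{theta 0}^{-1}(y) and w' = f_{theta 1}^{-1}(y)."""
    m = psi.reshape(D, -1)
    return sorted(w for w in range(D) if np.any(np.abs(m[w]) > 1e-12))


def disentangle_rw(psi, theta, y):
    """Section 3.4: once the computational assumption is dropped Alice inverts f,
    then XORs f_{theta z}^{-1}(y) into r_w on the branch where r_A holds z, so both
    branches carry w_0 = 0...0 and r_w factors out of the superposition."""
    m = (psi.reshape(D * D, 4) @ basis_change(theta)).reshape(D, D, 2, 2)
    out = np.zeros_like(m)
    for z in (0, 1):
        target = PERMS[(theta, z)].index(y)      # the inverse of f_{theta z}
        for w in range(D):
            out[w ^ target, :, z, :] = m[w, :, z, :]
    return (out.reshape(D * D, 4) @ basis_change(theta)).reshape(-1)


def run_attack(theta, seed=0):
    """Whole sequence for one system s_i; returns what the text predicts at each step."""
    rng = np.random.default_rng(seed)
    psi = gamma_state(theta)
    rho_b = bob_density_matrix(psi)
    y, psi = measure_rf(psi, rng)
    witnesses = surviving_witnesses(psi)
    psi = disentangle_rw(psi, theta, y)
    m = psi.reshape(D, D, 4)
    leftover = np.abs(m).sum() - np.abs(m[0, y]).sum()   # amplitude outside w=0, f=y
    return {"rho_B": np.round(rho_b.real, 6).tolist(), "y": y, "witnesses": witnesses,
            "leftover": float(leftover), "pair_AB": np.round(m[0, y], 6).tolist()}


if __name__ == "__main__":
    for theta in (0, 1):
        r = run_attack(theta)
        print(f"theta = {'+x'[theta]}: rho_B = {r['rho_B']}")
        print(f"  announced y = {r['y']}, surviving w = {r['witnesses']}")
        print(f"  (r_A, r_B) after disentangling = {r['pair_AB']}")
```

For both bases the script reports `rho_B = [[0.5, 0.0], [0.0, 0.5]]`, two surviving witnesses after the announcement of $y_i$, and the vector `[0.707107, 0, 0, 0.707107]` on $(r_A, r_B)$ after disentangling, i.e. the EPR pair $(|0\rangle_\theta|0\rangle_\theta + |1\rangle_\theta|1\rangle_\theta)/\sqrt{2}$ from which Alice can open either basis.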

Although Alice breaks the computational assumption (i.e. inverts the functions $f_{xz}$) in order to unveil the bit she wishes, this cannot be used as a building block for a secure quantum bit commitment where the computational assumption is no longer needed after some time. This is for exactly the same reason as the one allowing one to conclude that no quantum bit commitment can be built from a classical computational assumption.



4 Conclusions

The first proof provided for the impossibility of bit commitment (see the Appendix) has completely obliterated the possibility of creating an unconditionally secure bit commitment. However, the attack was only indirectly described. Subsequently, specific attempts to bypass this general result were proposed [ref]. This has shed more light on the nature of the attack, which was finally described explicitly in [ref]. Our goal here was to provide an analysis of this general attack in the context of a specific example, and to create a wholeness for the different papers published on the subject. The big lesson to learn from all this is that quantum information is always more elusive than its classical counterpart: extra care must be taken when reasoning about quantum cryptographic protocols and analyzing them. We hope that this paper will help to clarify the issue of the impossibility of bit commitment in its full generality.
Appendix

This appendix contains the original proof written by Mayers and sent to a few researchers by email on March 14, 1996. A modified version of the proof, which also used a reduction, was published in [ref]. A direct proof with no reduction was published later in [ref].

Abstract

It is currently known that the 1993 BCJL protocol of Brassard, Crépeau, Jozsa and Langlois (BCJL) is insecure. Here we provide the first proof that, not only this protocol, but any quantum bit commitment is either insecure against Alice or insecure against Bob.

1 Introduction

The fact that the quantum bit commitment protocol of Brassard, Crépeau, Jozsa and Langlois [ref] is insecure has been known for quite some time [ref]. Lo and Chau have also independently shown that a restricted category of quantum bit commitments is insecure [ref]. Now, we provide the first proof that not only these quantum bit commitment protocols, but any other quantum bit commitment protocol is insecure.

The absence of quantum bit commitment is a serious concern because other quantum protocols such as quantum oblivious transfer depend on the security of bit commitment [ref]. On the other hand, not all of quantum cryptography falls apart, because our earlier proof of security for quantum key distribution [ref] holds even if secure quantum bit commitment is not possible, despite the fact that it is based on an earlier "proof" of security for quantum oblivious transfer that fails in the absence of a secure bit commitment scheme. The reason is that the proof of security for quantum key distribution does not depend on the security of quantum oblivious transfer, but rather on the (correct) proof that quantum oblivious transfer would be secure if implemented on top of a secure bit commitment scheme.

2 Bit Commitment

Any cryptographic task defines the relationship between inputs and outputs respectively entered and received by the task's participants. In bit commitment, Alice enters a bit $b$. At a later time, Bob may request this bit and, whenever he does, he receives this bit; otherwise he learns nothing about $b$.

In a naive but concrete realization of bit commitment, Alice puts the bit into a strong-box of which she keeps the key and then gives this strong-box to Bob. At a later time, if Bob requests the bit, Alice gives the key to Bob. The main point is that Alice cannot change her mind about the bit $b$ and Bob learns nothing about it unless he obtains the key.

3 Quantum Bit Commitment: the attack

For every quantum bit commitment protocol $Q$, we shall construct a protocol $Q'$, show that the security of $Q$ implies the security of $Q'$, and then show that $Q'$ is insecure.

Let $A$ and $B$ stand for Alice and Bob respectively. For any bit commitment protocol $Q$, the state space $H$ is of the form $H_A \otimes H_B$ where $H_A$ and $H_B$ are the state spaces on Alice's side and on Bob's side respectively. Alice's and Bob's generation of classical variables, measurements, unitary transformations, etc. in the commit phase of $Q$ can be modeled by two global measurements, one on Alice's side and the other one on Bob's side. These two measurements together correspond to an overall measurement on the entire state space $H = H_A \otimes H_B$. This single overall measurement corresponds to the entire commit phase of $Q$.
Now, we construct $Q'$. For every $P \in \{A,B\}$, the state space on $P$'s side is of the form $\bar{H}_P = H_P \otimes H'_P$. The entire state space is $\bar{H} = \bar{H}_A \otimes \bar{H}_B$. The additional parts $H'_A$ and $H'_B$ are used to store the outcome of the overall measurement executed by Alice and Bob together, that is, the overall measurement executed by Alice and Bob in the commit phase of $Q$ becomes a unitary transformation on $\bar{H}$. At the opening phase (or just after the commit phase), Bob and Alice obtain the classical variables stored in their respective systems $H'_A$ and $H'_B$, that is, they execute the measurements that they normally execute in $Q$, and they continue with the opening phase as in $Q$.

It is not hard to see that the non-security of $Q'$ implies the non-security of $Q$. Assume that $P \in \{A,B\}$ can cheat in $Q'$. A dishonest $P$ in $Q$ can do exactly as $P$ in $Q'$. The resulting random situation in $Q$ after the commit phase is the same random situation that holds in $Q'$ after the other participant $\bar{P}$ has measured his quantum system $H'_{\bar{P}}$. So, if $P$ succeeds in $Q'$, $P$ also succeeds in $Q$.

Now, we must show that $Q'$ is insecure. It is a principle that we must assume that every participant knows every detail of the protocol, including the probability distribution of a random variable generated by another participant. There is no loss of generality in assuming that at the beginning of the protocol, the overall system is in a pure state $|\psi\rangle \in \bar{H} = \bar{H}_A \otimes \bar{H}_B$: the preparation of a mixture could be included as a part of the protocol. The commit phase of the protocol specifies a unitary transformation $U_b$ on the entire system. So at the end of the commit phase, the overall system is in a final state $|\phi_b\rangle = U_b |\psi\rangle$.

It is fair to assume that everything outside $\bar{H}_A$ is under the control of a dishonest Bob. In other words, there is no third system $H_C$. For $b = 0, 1$, let $\rho^A_b$ and $\rho^B_b$ be the partial traces of $|\phi_b\rangle\langle\phi_b|$ over $\bar{H}_B$ and $\bar{H}_A$ respectively. The density matrices $\rho^B_0$ and $\rho^B_1$ on Bob's side must be close to one another, otherwise Bob can cheat. We shall do the simpler case $\rho^B_0 = \rho^B_1$. The more subtle case where the density matrices are not identical is done in the next section.

Consider the Schmidt decompositions [22] of $|\phi_0\rangle$ and $|\phi_1\rangle$, respectively given by

$|\phi_0\rangle = \sum_i \sqrt{\lambda_i}\,|e_i^{(0)}\rangle \otimes |f_i\rangle$

and

$|\phi_1\rangle = \sum_i \sqrt{\lambda_i}\,|e_i^{(1)}\rangle \otimes |f_i\rangle.$

In the above formulas, the $\lambda_i$ are the eigenvalues of the density matrices $\rho^B = \rho^B_0 = \rho^B_1$, $\rho^A_0$ and $\rho^A_1$. The fact that these density matrices share the same positive eigenvalues with the same multiplicity is part of the Schmidt decomposition theorem. The states $|e_i^{(b)}\rangle$ and $|f_i\rangle$ are respectively eigenstates of $\rho^A_b$ and $\rho^B$ associated with the same eigenvalue $\lambda_i$. Clearly, the same unitary transformation that maps $|e_i^{(0)}\rangle$ into $|e_i^{(1)}\rangle$ also maps $|\phi_0\rangle$ into $|\phi_1\rangle$. We recall that Alice knows what the states $|\phi_0\rangle$ and $|\phi_1\rangle$ are. Therefore, she can determine the above unitary transformation.

In order to cheat, Alice creates the state $|\phi_0\rangle$. In other words, Alice does what she must honestly do when she has $b = 0$ in mind. With the state $|\phi_0\rangle$ Alice is able to convince Bob that she had $b = 0$ in mind: Alice has only to open the bit as an honest Alice would in $Q'$ with $b = 0$ in mind. If Alice wants to change her mind, she only has to map $|\phi_0\rangle$ into $|\phi_1\rangle$ before she continues the opening phase as if she had $b = 1$ in mind.

4 The real situation

Now, we consider the real situation where the density matrices $\rho^B_0$ and $\rho^B_1$ are not identical. If the protocol is to be secure against Bob, the density matrices $\rho^B_0$ and $\rho^B_1$ must respect some constraint. We express this constraint in terms of measurements on the $n$ photons that return a binary classical outcome $X \in \{0,1\}$. We recall that Alice prepares the density matrix $\rho^B_b$ when she has $b$ in mind, that is, when $B = b$. Without loss of generality, we take the convention that $P(X = 0 \mid B = 0) \ge P(X = 0 \mid B = 1)$. We denote by $X_b$ the random variable $X$ conditioned on $B = b$, so that $P(X = x \mid B = b) = P(X_b = x)$. The constraint is

$\frac{1}{2} - \sum_{b=0}^{1} P(B = b)\,P(X_b \neq b) \le 2^{-\alpha n},$

where the exponent, illegible in the source, is written here as $\alpha n$ for some constant $\alpha > 0$. This constraint says that no matter which measurement Bob uses to decide between $B = 0$ and $B = 1$, the probability of error is exponentially close to $1/2$. It has been shown in [ref], building on the work of [ref], that this implies the existence of two purifications $|\psi_0\rangle$ and $|\psi_1\rangle$ for $\rho^B_0$ and $\rho^B_1$ respectively such that

$\langle \psi_0 | \psi_1 \rangle \ge 1 - 2 \times 2^{-\alpha n}.$

We have that $|\psi_0\rangle$ and $|\psi_1\rangle$ are almost the same state.

In order to cheat, Alice prepares the state $|\psi_0\rangle$. If she wants to unveil $b = 0$, using the same argument as in the simpler case, she maps $|\psi_0\rangle$ into $|\phi_0\rangle$ and continues as in the honest $Q'$ when she has $b = 0$ in mind. If she wants to unveil $b = 1$, she executes on $|\psi_0\rangle$ the unitary transformation $F$ that would map $|\psi_1\rangle$ into $|\phi_1\rangle$. She obtains the state $F|\psi_0\rangle$. The inner product between the desired state $|\phi_1\rangle = F|\psi_1\rangle$ and the actual state $F|\psi_0\rangle$ is the same as the inner product $\langle \psi_1 | \psi_0 \rangle$, which is exponentially close to $1$. So, for all practical purposes, Alice can cheat as in the simpler case by applying this transformation $F$ and then continuing as in the honest $Q'$ when she has $b = 1$ in mind. This concludes the proof that every quantum bit commitment is insecure.
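As an added illustration, not part of Mayers's original proof, the following numpy script carries out Alice's side of the attack on a constructed two-qubit instance of $Q'$. For the simpler case of section 3 it computes the unitary on $\bar{H}_A$ that carries $|\phi_0\rangle$ onto $|\phi_1\rangle$ when $\rho^B_0 = \rho^B_1$ (the map $|e_i^{(0)}\rangle \mapsto |e_i^{(1)}\rangle$, obtained here through the singular value decomposition of the amplitude matrix, which is the Schmidt decomposition in matrix form); for the situation of this section it compares Bob's best distinguishing error with the overlap Alice can still reach when the two density matrices are only close. The states PHI0 and PHI1, the unbalanced variant phi1_biased and all function names are assumptions of this example; the fidelity and Helstrom error-probability formulas are standard results, not taken from the paper.

```python
"""Alice's side of Mayers's attack on a constructed instance of Q' (Appendix,
sections 3 and 4): find the unitary on H_A carrying |phi_0> onto |phi_1>, and
measure what is left to Alice when Bob's density matrices are merely close."""
import numpy as np

HADAMARD = np.array([[1, 1], [1, -1]]) / np.sqrt(2)

# Constructed toy protocol: Alice keeps a qubit entangled with the qubit she
# sends, and the committed bit is the basis of Bob's qubit.  Vectors live on
# H_A (x) H_B with the amplitude index ordered (a, b).
PHI0 = np.array([1, 0, 0, 1]) / np.sqrt(2)     # (|0>|0>_+ + |1>|1>_+) / sqrt 2
PHI1 = np.array([1, 1, 1, -1]) / 2             # (|0>|0>_x + |1>|1>_x) / sqrt 2


def amplitude_matrix(state, d_a, d_b):
    """M[a, b] = <a, b|state>.  The SVD M = sum_i s_i |u_i><v_i| is the Schmidt
    decomposition: s_i = sqrt(lambda_i), u_i = |e_i>, v_i = conjugate of |f_i>."""
    return np.asarray(state, dtype=complex).reshape(d_a, d_b)


def bob_reduced(state, d_a, d_b):
    """rho^B = Tr_{H_A} |state><state|."""
    m = amplitude_matrix(state, d_a, d_b)
    return m.T @ m.conj()


def psd_sqrt(rho):
    """Square root of a positive semidefinite matrix via its eigendecomposition."""
    vals, vecs = np.linalg.eigh(rho)
    return (vecs * np.sqrt(np.clip(vals, 0, None))) @ vecs.conj().T


def fidelity(rho, sigma):
    """Uhlmann fidelity Tr sqrt(sqrt(rho) sigma sqrt(rho))."""
    r = psd_sqrt(rho)
    return float(np.real(np.trace(psd_sqrt(r @ sigma @ r))))


def helstrom_error(rho, sigma):
    """Smallest error probability of any measurement deciding between rho and
    sigma with equal priors: 1/2 (1 - 1/2 ||rho - sigma||_1)."""
    trace_norm = np.sum(np.abs(np.linalg.eigvalsh(rho - sigma)))
    return float(0.5 * (1 - 0.5 * trace_norm))


def alice_switch_unitary(phi0, phi1, d_a, d_b):
    """Unitary U on Alice's side maximising |<phi1|(U (x) I)|phi0>|.  Writing
    M0 M1^dagger = A S B^dagger, the maximiser is U = B A^dagger (orthogonal
    Procrustes).  When rho^B_0 = rho^B_1 the maximum is 1 and U is exactly the
    Schmidt-basis map |e_i^(0)> -> |e_i^(1)> of the Appendix."""
    m0 = amplitude_matrix(phi0, d_a, d_b)
    m1 = amplitude_matrix(phi1, d_a, d_b)
    a, _, bh = np.linalg.svd(m0 @ m1.conj().T)
    return bh.conj().T @ a.conj().T


def switch_overlap(phi0, phi1, d_a, d_b):
    """|<phi1|(U (x) I)|phi0>| for the unitary above.  By Uhlmann's theorem this
    equals the fidelity of Bob's two density matrices."""
    u = alice_switch_unitary(phi0, phi1, d_a, d_b)
    moved = (u @ amplitude_matrix(phi0, d_a, d_b)).reshape(-1)
    target = np.asarray(phi1, dtype=complex).reshape(-1)
    return float(abs(np.vdot(target, moved)))


def same_up_to_phase(u, v):
    """True when u = e^{ic} v for some real c."""
    d = u.shape[0]
    return bool(abs(abs(np.trace(u.conj().T @ v)) - d) < 1e-9)


def phi1_biased(eps):
    """Section 4 situation: an unbalanced version of PHI1 whose rho^B is
    (1/2+eps)|0>_x<0|_x + (1/2-eps)|1>_x<1|_x, no longer identical to I/2."""
    plus = np.array([1, 1]) / np.sqrt(2)
    minus = np.array([1, -1]) / np.sqrt(2)
    return (np.sqrt(0.5 + eps) * np.kron([1, 0], plus)
            + np.sqrt(0.5 - eps) * np.kron([0, 1], minus))


def near_case(eps):
    """Bob's best distinguishing error versus the overlap Alice can achieve."""
    phi1 = phi1_biased(eps)
    rho0, rho1 = bob_reduced(PHI0, 2, 2), bob_reduced(phi1, 2, 2)
    return {"bob_error": helstrom_error(rho0, rho1),
            "fidelity": fidelity(rho0, rho1),
            "overlap": switch_overlap(PHI0, phi1, 2, 2)}


if __name__ == "__main__":
    u = alice_switch_unitary(PHI0, PHI1, 2, 2)
    print("identical rho^B: overlap =", switch_overlap(PHI0, PHI1, 2, 2),
          "| U is the Hadamard:", same_up_to_phase(u, HADAMARD))
    for eps in (0.1, 0.01, 0.001):
        print(f"eps = {eps}:", near_case(eps))
```

With $\rho^B_0 = \rho^B_1 = I/2$ the switching unitary is the Hadamard (up to phase) and the overlap is exactly 1; in the biased case the two numbers move together, Bob's error probability being $1/2 - \varepsilon/2$ while Alice's overlap is $\sqrt{(1/2+\varepsilon)/2} + \sqrt{(1/2-\varepsilon)/2}$, which is what the dichotomy of this section says: whatever advantage Bob gains in distinguishing is paid for by only a comparably small loss in Alice's ability to switch.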

Note that as a consequence, Yao's proof of security for quantum oblivious transfer [12] fails because it is built on insecure foundations (through no fault of Yao). Ironically, as we stated in the Introduction, the proof of security for quantum key distribution shown in [ref] stands despite the fact that it draws on Yao's work, because it does not depend on the security of bit commitment.